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Abstract — We give new combinatorial constructions for codes 
providing authentication and secrecy for equiprobable source 
probability distributions. In particular, we construct an infinite 
class of optimal authentication codes which are multiple-fold 
secure against spoofing and simultaneously achieve perfect 
secrecy. Several further new optimal codes satisfying these 
properties will also be constructed and presented in general 
tables. Almost all of these appear to be the first authentication 
codes with these properties. 

I. Introduction 

The construction of authentication codes is an important 
topic in cryptography, and has been considered by many 
researchers over the last few decades. The first construction of 
such codes go back to Gilbert, MacWilliams and Sloane [5], 
using finite projective planes. 

In this paper, we consider combinatorial constructions for 
codes providing authentication and secrecy for equiprobable 
source probability distributions. For general authentication 
codes without any secrecy requirements, there exist various 
constructions for a long time, regardless of the source dis- 
tribution. However, if we wish that the authentication codes 
simultaneously provide for secrecy, then there are only a 
few constructions known, see e.g. [4], [8], [9], [13]. These 
constructions are mostly of combinatorial nature, using combi- 
natorial i-designs, perpendicular arrays, or orthogonal arrays. 
An algebraic approach [4] is based on (non-)linear functions 
between finite Abelian groups. In particular, Stinson [13] 
constructed in 1990 optimal authentication codes that are one- 
fold secure against spoofing and achieve perfect secrecy. His 
constructions rely on Steiner 2-designs and assume that the 
source states are equiprobable distributed (cf. Theorems 4 
and 5). 

We will extend Stinson's constructions to obtain optimal 
codes which are multi-fold secure against spoofing and provide 
perfect secrecy. This can be achieved by means of Steiner 
<-designs for larger t. Using Mobius planes, and more gen- 
erally spherical geometries, we will particularly construct a 
new infinite class of optimal codes which are two-fold secure 
against spoofing and achieve perfect secrecy (Section V). Sev- 
eral further new optimal codes satisfying these properties will 
be constructed and presented in general tables (Section VI). 
Almost all of these appear to be the first authentication codes 
with these properties. 



The paper uses concepts from both combinatorial design 
theory and the theory of authentication codes. Relevant defini- 
tions will be summarized (Sections II and III) as well as results 
on general authentication codes that are important for our 
purposes (Section IV). The paper concludes with a discussion 
on further research directions (Section Vll). 

II. Authentication and Secrecy Model 

We rely on the unconditional (theoretical) secrecy model 
developed by Shannon [10], and by Simmons (e.g. [12]) 
including authentication. We follow the description and notion 
of [8], [13]. We also mention the recent reference work [9]. 

In this model of authentication and secrecy three partici- 
pants are involved; a transmitter, a receiver, and an opponent. 
The transmitter wants to communicate information to the 
receiver via a public communications channel. The receiver 
in return would like to be confident that any received infor- 
mation actually came from the transmitter and not from some 
opponent {integrity of information). The transmitter and the 
receiver are assumed to trust each other Sometimes this is 
also called an A-code. 

Let S denote a set of k source states (or plaintexts), A4 a 
set of V messages (or ciphertexts), and £ a set of h encoding 
rules (or keys). Using an encoding rule e G £, the transmitter 
encrypts a source state s e 5 to obtain the message m = e(s) 
to be sent over the channel. The encoding rule is an injective 
function from iS to A^, and is communicated to the receiver 
via a secure channel prior to any messages being sent. For each 
encoding rule e € £, let M{e) :— {e(s) : s e 5} denote the 
set of valid messages. A received message m will be accepted 
by the receiver as being authentic if and only if to G A/(e). 
When this is fulfilled, the receiver decrypts the message m by 
applying the decoding rule e"^, where 

e~^{m) = s 4^ e(s) = to. 

An authentication code can be represented algebraically by a 
(6 X k)-encoding matrix with the rows indexed by the encoding 
rules, the columns indexed by the source states, and the entries 
defined by a^s '■— e(s) {1 < e < b, 1 < s < k). 

A. Spoofing Attack and Perfect Secrecy 

We are interested in the following scenario, which is called 
spoofing attack of order i: Suppose that an opponent observes 



i > distinct messages, which are sent through the pubhc 
channel using the same encoding rule. The opponent then 
inserts a new message m' (being distinct from the i messages 
already sent), hoping to have it accepted by the receiver as 
authentic. The cases i = and i = 1 are called impersonation 
game and substitution game, respectively. These cases have 
been studied in detail in recent years, whereas less is known 
for the cases i > 2. 

We assume that there are probability distributions ps on 
S and pe on £ (known to all participants) with associated 
independent random variables S and E, respectively. These 
distributions induce a third distribution, p^, on M with 
associated random variable M. The deception probability Pd^ 
is the probability that the opponent can deceive the receiver 
with a spoofing attack of order i. 

Theorem 1: [Massey] In an authentication code with k 
source states and v messages, the deception probabilities are 
bounded below by 

„ k — i 

PrL > -. 



An authentication code is called t-fold secure against spoof- 
ing if Pd, = (k- i)/{v - i) foT < i < t. 

In what follows, we are also interested in the property of 
secrecy: An authentication code is said to have perfect secrecy 
if 

ps{s\m) = ps{s) 

for every source state s £ S and every message m € A4. That 
is, the a posteriori probability that the source state is s, given 
that the message m is observed, is identical to the a priori 
probability that the source state is s. It can easily be shown 
that 



Ps{s\m) 



J2{eGe:e{.)=m}PE{e)Ps{s) 
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As a consequence, we have 

Lemma 1: [Stinson] An authentication code has perfect 
secrecy if and only if 



E 



PE{e) = ^ PE{e)ps{e ^(m)) 



{ee£:m£M{e)} 



for every source state s and every message m. 

Thus, if the encoding rules in a code are used with equal 
probability, then a given message m occurs with the same 
frequency in each column of the encoding matrix. 

III. Combinatorial Design Theory 

For positive integers t < k < v and A, a t-{v, k, A) design 
I? is a pair {X, B), satisfying the following properties: 

(i) X is a set of v elements, called points, 

(ii) ,B is a family of fc-subsets of X, called blocks, 

(m) every f-subset of X is contained in exactly A blocks. 
We will denote points by lower-case and blocks by upper-case 
Latin letters. Via convention, let b \B\ denote the number 
of blocks. Throughout this article, 'repeated blocks' are not 
allowed, that is, the same /c-subset of points may not occur 



twice as a block. If t < k < v holds, then we speak of a non- 
trivial t-design. For historical reasons, a t-{v, k, A) design with 
A = 1 is called a Steiner t-design (sometimes also a Steiner 
system). As a simple example, let us choose as point set X = 
{1,2,3,4,5,6,7} and as block set B = {{1, 2, 4}, {2, 3, 5}, 
{3, 4, 6}, {4, 5, 7}, {1,5, 6}, {2, 6, 7}, {1,3, 7}}. This gives a 
Steiner 2-(7, 3, 1) design, the well-known Fano plane, which 
is the smallest design arising from a projective geometry. The 
usual representation of this unique projective plane of order 2 
is given by the following diagram: 




1 7 3 

Fig. I. The Fano plane 

If a 2-design has, like in this example, equally many points 
and blocks, i.e. v — b, then we usually speak of a symmetric 
design. For the existence of i-designs, basic necessary condi- 
tions can be obtained via elementary counting arguments (see, 
for instance, [1]): 

Lemma 2: Let V = {X, B) be a t-{v, k, A) design, and for 
a positive integer s < t, let S C X with \S\ = s. Then the 
number of blocks containing each element of S is given by 



A, = A 



(HI 



In particular, for t > 2, a t-{v,k,X) design is also an 
s-{v, k, As) design. 

It is customary to set r :— Ai denoting the number of blocks 
containing a given point (referring to the 'replication number' 
from statistical design of experiments, one of the origins of 
design theory). It follows 

Lemma 3: Let T> = (X, B) be a t-{v,k, A) design. Then 
the following holds: 

(a) bk — vr. 
(b) 

(c) r{k - 1) = A2(w - 1) for t > 2. 

There are many infinite classes of Steiner t-designs for t = 2 
and 3, however for t = 4 and 5 only a finite number are known. 
For encyclopedic accounts of key results in design theory as 
well as existence tables with known parameter sets, we refer 
to [1], [2]. 

Problem 1: Does there exist any non-trivial Steiner i-design 
with t > 6? 



IV. General Authentication Codes 

For general authentication codes, no secrecy requirements 
are specified. We summarize the state-of-the-art with respect 
to our further purposes: 

The following theorem (cf. [8], [11]) gives a lower bound 
on the number of encoding rules for any source probability 
distribution. 

Theorem 2: [Massey-Schobi] If a general authentication 
code is [t — l)-fold against spoofing, then the number of 
encoding rules is bounded below by 



As usual, we call a code optimal if the number of encoding 
rules meets the lower bound with equality. When the source 
states are known to be independent and equiprobable, optimal 
authentication codes which are [t — l)-fold against spoofing 
can be constructed via t-designs (cf. [3], [11], [13]): 

Theorem 3: [DeSoete-Schobi-Stinson] Suppose there is a 
t-{v,k,X) design. Then there is an authentication code for k 
equiprobable source states, having v messages and A • ( j)/ (j) 
encoding rules, that is {t — l)-fold secure against spoofing. 
Conversely, if there is an authentication code for k equiprob- 
able source states, having v messages and encoding 
rules, that is {t — l)-fold secure against spoofing, then there 
is a Steiner t-{v, k, 1) design. 

V. Authentication Codes with Perfect Secrecy 

Stinson [13, Thm. 6.4] constructed in 1990 the first optimal 
authentication codes that are one-fold secure against spoofing 
and simultaneously achieve perfect secrecy. His constructions 
rely on Steiner 2-designs and assume that the source states are 
equiprobable distributed. 

Theorem 4: [Stinson] Suppose there is a Steiner 2-(w, /c, 1) 
design, where v divides the number of blocks h. Then there 
is an optimal authentication code for k equiprobable source 
states, having v messages and v{v — l)/k{k — 1) encoding 
rules, that is one-fold secure against spoofing and provides 
perfect secrecy. 

Using Steiner 2-( '^ q-T^ ' 9 + 1' 1) designs whose points and 
blocks are the points and lines of projective spaces PG{d, q), 
Stinson [13, Thm. 6.5] constructed this way an infinite class 
of authentication codes with the following properties: 

Theorem 5: [Stinson] For all prime powers q and for all 
even d > 2, there is an optimal authentication code for an 
equiprobable source probability distribution with q+1 source 
states, having {q'^^^ — l)/{q — 1) messages, that is one-fold 
secure against spoofing and provides perfect secrecy. 

The smallest example is as follows (cf. [13, Ex. 6.1]): 

Example 1: An optimal authentication code for k — 2> 
equiprobable source states, having v — 7 messages, and h = 7 
encoding rules, that is one-fold secure against spoofing and 
provides perfect secrecy can be constructed from a Steiner 
2-(7, 3, 1) design, i.e. the unique Fano plane illustrated in 
Fig. 1. Each encoding rule is used with probability 1/7. An 
encoding matrix is given in Table I. 



TABLE I 

Authentication CODE from the Fano plane 





S\ 


S2 


S3 


ei 


1 


2 


4 


62 


2 


3 


5 


63 


3 


4 


6 


64 


4 


5 


7 


65 


5 


6 


1 


66 


6 


7 


2 


67 


7 


1 


3 



We will extend Stinson's constructions to obtain optimal 
codes which are multi-fold secure against spoofing and provide 
perfect secrecy. This can be achieved by means of Steiner 
t-designs for larger t. 

Theorem 6: Suppose there is a Steiner t-{v,k,\) design, 
where v divides the number of blocks h. Then there is an 
optimal authentication code for k equiprobable source states, 
having v messages and ( J!) / (^) encoding rules, that is (t — 1)- 
fold secure against spoofing and provides perfect secrecy. 

Proof: Let T) = {X,B) be a Steiner t-{v,k,l) design, 
where v divides b. We mimic the proof of [13, Thm. 6.4]. 
Clearly, the authentication capacity of the code follows via 
Theorem 3. To establish perfect secrecy under the assumption 
that the encoding rules are used with equal probability, it is 
necessary in view of Lemma 1 that a given message occurs 
with the same frequency in each column of the resulting 
encoding matrix. This can be done by ordering every block 
of V in such a way that every point occurs in each possible 
position in precisely b/v blocks. Since every point occurs in 
exactly r — (^ZD/CtZl) blocks due to Lemma 3 (c), neces- 
sarily clearly k must divide r. To show that the condition is 
also sufficient, we consider the bipartite point-block incidence 
graph of V with vertex set X U B, where (x, B) is an edge if 
and only if x ^ B for x ^ X and B ^ B. An ordering on each 
block of V can be obtained via an edge-coloring of this graph 
using k colors in such a way that each vertex B ^ Bis adjacent 
to one edge of each color, and each vertex x ^ X is adjacent 
to b/k edges of each color. Technically, this can be achieved 
by first splitting up each vertex x into b/k copies, each having 
degree k, and then by finding an appropriate edge-coloring of 
the resulting fc-regular bipartite graph using k colors. Taking 
the ordered blocks as encoding rules, each used with equal 
probability, establishes the claim. ■ 

Relying on Mobius planes, and more generally on spherical 
geometries, we can now construct a new infinite class of 
optimal codes which are two-fold secure against spoofing and 
achieve perfect secrecy. 

Theorem 7: For all prime powers q and for all even d> 2, 
there is an optimal authentication code for an equiprobable 
source probability distribution with q+l source states, having 
q"^ + 1 messages, that is two-fold secure against spoofing and 
provides perfect secrecy. 

Proof: Steiner designs can be constructed from spherical 
geometries as follows: Let q be a prime power, and d > 2 an 



integer. As point set X choose the elements of the projective 
hne GF{q'^) U {00} over the Galois field GF{q'^), where 00 
denotes a symbol with 00 GF{q'^). The linear fractional 
group 

PGL{2, = {a; S|±^ . a, b,c,de GF(q''), ad-bc ^ 0} 

acts on GF{q'^) U {00} in the natural manner (with the 
usual conventions for 00). As block set B take the im- 
ages of GF{q) U {00} under PGL{2, g'^). This gives a 
3-(q'^ + 1,9+1,1) design with PGL{2, q'^) as group of au- 
tomorphisms. These designs were first described by Witt [14]. 
For d — 2, they are often called Mobius planes (or inversive 
planes) of order q. 

Now, if we assume that d is even, then 

- 1 1 - 1 

and hence 

(q + l)q{q-l)\q%q''-l). 

Therefore, v divides h, and the claim follows by applying 
Theorem 6. ■ 
We present the smallest example: 

Example 2: An optimal authentication code for k = A 
equiprobable source states, having v — 10 messages, and 
6 = 30 encoding rules, that is two-fold secure against spoofing 
and provides perfect secrecy can be constructed from a Steiner 
3-(10,4, 1) design, i.e. the unique Mobius plane of order 3. 
Each encoding rule is used with probability 1/30. We give an 
encoding matrix in Table II. 

Remark 1: We mention that the group PGL{2, q'^) acts 
transitively on incident point-block pairs, i.e. on the flags, of 
the Steiner 3-(g'^ + 1, g + 1,1) design. This reveals a high de- 
gree of regularity of the combinatorial structure. Basically all 
flag-transitive Steiner i-designs have been determined recently, 
see [6]. Various further interactions between highly regular 
combinatorial structures and applications in information and 
coding theory can be found, e.g., in [7]. 

VI. Further Constructions 

We will construct several further new optimal authentica- 
tion codes for equiprobable source distributions, which are 
(t— l)-fold secure against spoofing and simultaneously achieve 
perfect secrecy. All codes with i > 3 appear to be the first 
authentication codes satisfying these properties. 

In view of Theorem 6, we have to check whether the 
parameters of known Steiner i-(t>,fc, 1) designs satisfy the 
condition that v divides the number of blocks b = (t)/(t)- 
We recall that there are two infinite classes of optimal authen- 
tication codes: one arises from projective geometries (Theo- 
rem 5) and the other from spherical geometries (Theorem 7). 
We can construct further infinite families of optimal codes for 
d. fixed number of source states as follows: 

• A Steiner 2-(u, 3, 1) design (so-called Steiner triple sys- 
tem) exists if and only if = 1 or 3 (mod 6). Hence, 
if u = 1 (mod 6), then an optimal authentication code 
can be constructed for fc = 3 equiprobable source states. 



TABLE II 

Authentication code from the Mobius plane of order 3 
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S2 


S3 


S4 


61 
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5 
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63 
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6 
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64 
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5 


7 


8 


65 


5 


6 


8 


9 


66 


6 


7 


9 





67 


7 


8 





1 


6g 


8 


9 


1 


2 


69 


9 





2 


3 


610 





1 


3 


4 


Cll 
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3 


7 


612 


2 


3 


4 


8 


^13 
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5 


9 


614 
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5 


6 





615 
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7 


1 


6lg 


6 


7 


8 
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617 


7 


8 
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3 


618 


8 


9 
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619 


9 
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620 
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2 
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621 
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3 


5 


8 


622 


2 


4 


6 


9 


623 


3 


5 


7 





624 
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6 


8 


1 


625 


5 


7 


9 


2 


626 


6 


8 





3 


627 


7 


9 


1 


4 


628 


8 





2 


5 


629 


9 


1 


3 


6 


630 





2 


4 


7 



having v messages, and viy — l)/6 encoding rules, that 
is one-fold secure against spoofing and provides perfect 
secrecy. 

• A Steiner 2-(7j,4, 1) design exists if and only if u = 1 
or 4 (mod 12). Hence, if w = 1 (mod 12), then 
an optimal authentication code can be constructed for 
k — 4 equiprobable source states, having v messages, 
and v{v — 1)/12 encoding rules, that is one-fold secure 
against spoofing and provides perfect secrecy. 

• A Steiner 2-(ti, 5, 1) design exists if and only if v = 1 
or 5 (mod 20). Hence, if t; = 1 (mod 20), then 
an optimal authentication code can be constructed for 
fc = 5 equiprobable source states, having v messages, 
and v{v — l)/20 encoding rules, that is one-fold secure 
against spoofing and provides perfect secrecy. 

• A Steiner 3-{v,4, 1) design (so-called Steiner quadruple 
system) exists if and only if w = 2 or 4 (mod 6). Hence, 
if ti = 2 (mod 24), then an optimal authentication code 
can be constructed for fc = 4 equiprobable source states, 
having v messages, and l)(i;— 2)/24 encoding rules, 
that is two-fold secure against spoofing and provides 
perfect secrecy. 



TABLE III 

Further authentication codes from Steiner t-DESicNS 



[5] 
[6] 



t 


k 


V 


b 


Design Parameters 


Design Reference 


[7] 


3 


5 


26 


260 


3-(26, 5, 1) 


Denniston design 






5 


11 


66 


4-(ll, 5, 1) 


Witt design 


[8] 




7 


23 


253 


4-(23, 7, 1) 


Witt design 






5 


23 


1.771 


4-(23, 5, 1) 


Denniston design 


[9] 




5 


47 


35.673 


4-{47, 5, 1) 


Denniston design 




4 


5 


83 


367.524 


4-(83, 5, 1) 


Denniston design 


[10] 




5 


71 


194.327 


4-{71, 5, 1) 


Mills design 


[11] 




5 


107 


1.032.122 


4-(107, 5, 1) 


[2] 




5 


131 


2.343.328 


4-{131,5, 1) 


[2] 


[12] 




5 


167 


6.251.311 


4-{167, 5, 1) 


[2] 






5 


243 


28.344.492 


4-{243,5, 1) 


[2] 






6 


12 


132 


5-{12, 6, 1) 


Witt design 


[13] 


5 


6 


84 


5.145.336 


5-(84, 6, 1) 


Denniston design 


[14] 




6 


244 


1.152.676.008 


5-{244, 6, 1) 


[2] 
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We present further optimal codes that are — l)-fold secure 
against spoofing and achieve perfect secrecy in Table III. We 
give the parameters of the authentication codes as well as of 
the respective Steiner t-designs. All presently known Steiner 
4-designs and 5-designs have been examined; for Steiner 
2-designs and 3-designs only the cases up to u = 30 have 
been investigated. We refer to [1], [2] for further information 
on the respective designs. 

VII. DISCUSSION 

It would be interesting for further research to examine 
authentication codes that are — l)-fold secure against spoof- 
ing and achieve two-fold perfect secrecy, and more generally 
[t — l)-fold perfect secrecy. For this the following condition 
must be satisfied: for every t* < t — 1, for every set M* of 
t* messages observed in the channel, and for every set S* of 
t* source states, we have p{S*\M*) = p{S*). 
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